b'     SECURITY CONTROLS OVER CONTRACTOR SUPPORT\n               FOR YEAR 2000 RENOVATION\n\n\nReport No. D-2001-016               December 12, 2000\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General, DoD,\n  Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports\n  Distribution Unit of the Audit Followup and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                     Inspector General, Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-2885\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nASD(C3I)              Assistant Secretary of Defense (Command, Control,\n                        Communication, and Intelligence)\nCOTS                  Commercial-Off-The-Shelf\nDITSCAP               DoD Information Technology Security Certification and\n                        Accreditation Process\nY2K                   Year 2000\n\x0c\x0c                       Office of the Inspector General, DoD\nReport No. D-2001-016                                               December 12, 2000\n  (Project No. D1999AS-0052.01)\n\n                 Security Controls Over Contractor Support\n                          For Year 2000 Renovation\n\n                                  Executive Summary\n\nIntroduction. In a memorandum to the Inspector General, DoD, the Assistant\nSecretary of Defense (Command, Control, Communications, and Intelligence)\nexpressed concerns that system owners and users may have created increased\nvulnerabilities to the Defense information infrastructure and to operational readiness\nduring the year 2000 renovation processes. The Assistant Secretary asked the Inspector\nGeneral, DoD, to monitor the adherence of DoD Components to the information\nsecurity requirements of the Office of the Secretary of Defense. As of March 2000, the\nDoD year 2000 database identified 889 renovated mission-critical systems.\n\nWe conducted the audit in two phases. In phase one, we reviewed DoD policies on the\nuse of identification and authentication controls to access information systems. In phase\ntwo, we reviewed security controls at selected locations.\n\nObjectives. The purpose of the audit was to determine user adherence to DoD\ninformation systems security policy during and after year 2000 renovation efforts. In\nphase one of the audit, we reviewed identification and authentication policy within DoD\nand issued Inspector General, DoD, Report No. D-2000-058, \xe2\x80\x9cIdentification and\nAuthentication Policy,\xe2\x80\x9d December 20, 1999. In phase two, we reviewed\nimplementation of security controls at selected locations. Specifically, we reviewed\ncontrols over contractors that performed year 2000 renovations on a sample of\n159 mission-critical systems.\n\nResults. DoD Components used techniques, such as access controls, configuration\nmanagement, and code verification and validation, to monitor and control contractor\naccess to the 159 mission-critical systems in our sample that were renovated by contract\npersonnel during the year 2000 renovation effort. However, the cognizant DoD\nComponents did not assess risk for 103 of those 159 systems and did not reaccredit\n119 systems. As a result, at least seven DoD Components were not assured that\ndocumented security postures were valid. Further, potential risks to the mission-critical\nsystems were unknown and the systems may be exposed to increased risk of\nunauthorized access and modification.\n\n\n\n\n                                            i\n\x0cSummary of Recommendations. We recommend that the Chief Information Officers\nof the Army, Navy, Air Force, Marine Corps, Defense Information Systems Agency,\nDefense Logistics Agency, and Washington Headquarters Services:\n\n     \xe2\x80\xa2 Assess the potential risks to the security baseline requirements for renovated\n       systems for which risk assessments are lacking.\n\n     \xe2\x80\xa2 Accredit or reaccredit renovated systems in accordance with DoD\n       Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification and\n       Accreditation Process.\xe2\x80\x9d\n\nManagement Comments. The Department of the Air Force concurred with the\nfinding and recommendations, and stated that the designated approving authorities will\ncomplete security risk assessments and the certification and accreditation process.\nWashington Headquarters Services has begun to take actions to assess the potential risk\nto the security baseline for the 20 systems that contractors renovated for the year 2000\nand to transition to the DoD Information Technology Security Certification and\nAccreditation Process. Washington Headquarters Services recognizes the importance\nof continuously assessing risk and understands that all of its components need to be\ncertified and accredited to maintain the information assurance and security posture of\nthe Defense Information Infrastructure. The Military Traffic Management Command\nconcurred with the report and stated that it was in the process of accrediting or\nreaccrediting their systems. Refer to the Finding section of the report for the complete\ndiscussion of management comments and to the Management Comments section for the\ncomplete text of the management comments.\n\nAudit Response. Washington Headquarters Services comments did not indicate a\nconcurrence or nonconcurrence. However, based on actions taken or planned, we\nconsider the comments to be fully responsive.\n\nManagement Comments Required. The Army, Navy, Marine Corps, Defense\nInformation Systems Agency, and Defense Logistics Agency did not respond to a draft\nof this report dated September 21, 2000. Accordingly, we redirected the\nrecommendations to their respective Chief Information Officers. We request comments\nto the final report by February 12, 2001.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary                                            i\n\n\nIntroduction\n     Background                                              1\n     Objective                                               2\n\nFinding\n     Certifying and Accrediting Information Systems After\n           Year 2000 Renovation                              3\n\nAppendixes\n     A. Audit Process\n         Scope                                               8\n         Methodology                                         9\n         Management Control Program Review                   9\n         Prior Coverage                                     10\n     B. Renovated Systems Sampled                           11\n     C. Techniques to Monitor Contractor Renovations        19\n     D. Report Distribution                                 21\n\nManagement Comments\n     Department of the Air Force                            25\n     Washington Headquarters Services                       26\n     Army Military Traffic Management Command               28\n\x0cIntroduction\n           In a memorandum dated May 5, 1999, the Assistant Secretary of Defense\n           (Command, Control, Communications, and Intelligence) (ASD [C3I]) expressed\n           concerns that system owners and users may have created increased\n           vulnerabilities to the Defense information infrastructure and to operational\n           readiness during the year 2000 (Y2K) renovation processes. The ASD (C3I)\n           asked the Inspector General, DoD, as part of ongoing audits, to monitor DoD\n           Components\xe2\x80\x99 adherence to the Office of the Secretary of Defense (OSD)\n           information security requirements and specifically addressed requirements\n           relating to identification and authentication controls outlined in OSD\n           Administrative Instruction (AI) 26-1.\n\n           In phase one of this audit, we reviewed DoD Component policies on the use of\n           identification and authentication controls to access information systems. A\n           comparison of the status of Service Component and Defense Agency policies\n           and the requirements of AI 26-1 is discussed in Inspector General, DoD, Report\n           No. D-2000-058, \xe2\x80\x9cIdentification and Authentication Policy,\xe2\x80\x9d\n           December 20, 1999.\n\n           In phase two, we focused on the application of security controls over\n           contractor-performed Y2K renovations. We selected a sample of mission-\n           critical systems and developed a questionnaire to determine the techniques DoD\n           Components used to monitor and control contractor access during and after Y2K\n           renovations. See Appendix A for a discussion of the sample selection process\n           and the contents of the questionnaire.\n\nBackground\n           The Y2K renovation efforts exposed DoD mission-critical systems to many\n           threats and vulnerabilities. According to the Department of Defense Year 2000\n           Management Plan, September 1999, Appendix B, the Y2K renovation efforts\n           provided an opportunity to introduce or exploit existing vulnerabilities within\n           any information system or network. Such vulnerabilities could be used to attack\n           the information, information systems, and networks that comprise the DoD\n           information infrastructure and allow opportunities to implant backdoor software\n           routines1 or malicious code,2 such as viruses3 and worms.4 The Y2K renovation\n\n1\n    Backdoors are hidden network utility programs that allow the removal of computer system controls.\n2\n    Malicious software or code is software written to cause damage or deplete resources of the target\n    computer.\n3\n    Viruses are software programs that are capable of replication and capable of wreaking great harm on a\n    system. Viruses first copy themselves to additional program files, infect the system programs, and\n    modify the programs to include a possible evolved copy of the virus.\n4\n    Worms may replicate through an entire network, consuming computer resources, such as memory and\n    bandwidth, and slowing down computers and servers.\n\n\n\n                                                      1\n\x0c    process required considerable contractor support and allowed contractors to gain\n    full access to DoD information systems undergoing renovation. The Y2K\n    renovation effort also provided Government personnel, and others associated\n    with Y2K testing and evaluation, with increased access to mission-critical\n    systems.\n\n    Year 2000 renovated systems are subject to DoD Directive 5200.28, \xe2\x80\x9cSecurity\n    Requirements for Automated Information Systems (AISs),\xe2\x80\x9d March 21, 1988,\n    which provides for reaccreditation of information technology systems that\n    undergo changes to the associated environment. Additionally, DoD\n    Directive 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification and\n    Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997, prescribes the security\n    accreditation for information technology systems. The security posture of the\n    defense information infrastructure depends on certifying and accrediting systems\n    for effective information security.\n\n           Certification. Certification is the comprehensive evaluation of technical\n    and nontechnical security features of an information system made in support of\n    the accreditation process. Certification establishes the extent that a particular\n    system design and implementation meet specified security requirements.\n\n           Accreditation. Accreditation is the formal security declaration by an\n    authorized official to approve the operation of an information technology system\n    or network. The accreditation describes the definitive baseline of security\n    operations and the particular security mode using a prescribed set of safeguards.\n    Accreditation is based on security assumptions that tie certified hardware and\n    software of each system to the configuration of the computing environment.\n\nObjective\n    The audit objective was to determine user adherence to DoD information\n    systems security policy during and after Y2K renovation efforts. We reviewed\n    implementation of security controls at selected locations. Specifically, we\n    reviewed controls over contractors that performed Y2K renovations on mission-\n    critical systems. See Appendix A for a discussion of the audit scope,\n    methodology, and a summary of prior coverage related to the audit objective.\n\n\n\n\n                                        2\n\x0c            Certifying and Accrediting Information\n            Systems After Year 2000 Renovation\n            DoD Components used various security measures, such as access\n            controls, configuration management, and code verification and\n            validation, to control and monitor contractor access to 159 mission-\n            critical systems during the year 2000 (Y2K) renovation process.\n            However, 7 of the 8 DoD Components with systems in our sample did\n            not assess the potential risk related to the renovation efforts for 103 of\n            159 contractor-renovated systems and did not reaccredit 119 systems.\n            The condition existed because DoD personnel did not adhere to\n            established defense information security policies and procedures relating\n            to system modifications. As a result, DoD Components were not\n            assured that documented security postures were valid. Further, potential\n            risks to the mission-critical systems were unknown and the systems may\n            be exposed to increased risk of unauthorized access or modification.\n\nDoD Mission-Critical Systems\n     Y2K Contractor-Renovated Mission-Critical Systems. As of March 2000,\n     the DoD Y2K database identified 889 Y2K renovated mission-critical systems.\n     We reviewed a sample of mission-critical systems to determine how DoD\n     monitored and controlled contractor access to the systems during the Y2K\n     renovation process. We focused on 159 systems that were contractor-renovated\n     or renovated using a combination of government and contractor personnel. See\n     Appendix A for details on the DoD Y2K database, the sample selection process,\n     and a description of the sample reviewed. Appendix B provides a list of the\n     159 systems reviewed and Appendix C provides details on the techniques DoD\n     Components used to monitor contractor renovation of the 159 systems.\n\nCertification and Accreditation Process\n     DoD Components did not assess the potential risk related to the renovation\n     efforts for 103 of 159 contractor-renovated systems and did not reaccredit\n     119 systems. The DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology\n     Security Certification and Accreditation Process,\xe2\x80\x9d December 30, 1997, outlines\n     the security certification and accreditation process for unclassified and classified\n     information technology. The DITSCAP is composed of four phases: definition,\n     verification, validation, and post accreditation.\n\n     The definition phase focuses on understanding the mission, environment, and\n     architecture to determine the security requirements and level of effort required\n     to obtain accreditation and establishes a certification schedule. The agreement is\n     documented in the System Security Authorization Agreement. The verification\n     phase focuses on producing a system that is ready for certification testing, while\n     the validation phase confirms the compliance of the system with the information\n\n\n                                          3\n\x0c    contained in the System Security Authorization Agreement. The validation\n    phase provides the evidence required to support the system accreditation. The\n    definition, verification, and validation phases are repeated as often as necessary\n    to obtain an accredited system. The post accreditation phase includes those\n    activities necessary for continuing operation of the accredited system in its\n    environment and to address changing threats. The objective of this phase is to\n    ensure secure system management, operation, and maintenance to preserve an\n    acceptable level of residual security risk. The post accreditation phase continues\n    until the information system is removed from service, a major change is planned\n    for the system, or a periodic compliance validation is required. If the system\n    changes or the periodic validation requires, the DITSCAP process starts over at\n    the definition phase.\n\n    Status After Y2K. After Y2K renovations, equipment, architecture, security\n    requirements previously agreed to and documented in the System Security\n    Authorization Agreement were no longer valid. Specifically, DITSCAP\n    requires the Information System Security Officer to determine the extent the\n    changes affect the security posture of either the information system or the\n    computing environment. However, DoD Components did not comply with the\n    DITSCAP to reassess the systems security posture subsequent to modifications\n    made to the mission-critical systems during Y2K.\n\nRisk Assessments and Post-Accreditation\n    Risk Assessments. Risk assessment and risk management are ongoing efforts\n    that should be performed throughout system development and renovation\n    processes. Risk assessment includes analyzing threats to and vulnerabilities of\n    information systems and the potential impact that the loss of information or\n    capabilities has on national security. The resulting analyses are used to identify\n    appropriate and effective security measures to ensure the protection of\n    information. Risk assessments should also consider data sensitivity and integrity\n    and the range of risks the systems and data may be subject to, including risks\n    posed by authorized internal and external users, and unauthorized outsiders who\n    may try to break into the systems. Additionally, such analyses should include\n    reviews of systems and network configurations and observations and testing of\n    existing security controls. Although DoD Components should periodically\n    perform a formal comprehensive risk assessment, risk should be assessed\n    whenever there is a change in operation, technology, or outside influences.\n    However, on completion of the contractor Y2K renovations, DoD Components\n    completed initial or revised risk assessments for only 56 of the 159 mission-\n    critical systems renovated. Consequently, the DoD Components responsible for\n    the remaining 103 systems were unaware of the risk their systems faced after\n    renovation.\n\n    Reaccreditation. Changes in the information system\xe2\x80\x99s configuration,\n    operational mission, computer environment, or to the configuration of the\n    computing environment may invalidate the original security assumptions and\n    mandate reaccreditation. Therefore, as a minimum, DoD should reaccredit its\n    automated information system every 3 years and reaccredit the system\n    frequently based on system changes and modifications. Of the 56 mission-\n\n\n                                        4\n\x0c    critical systems that received initial or revised risk assessments, DoD\n    Components reaccredited only 40 of those systems after the completion of the\n    contractor Y2K renovations. When asked about the lack of risk assessments,\n    accreditations, and reaccreditations, various DoD Components responded that\n    they were not aware that the process was required or simply stated that the\n    process was not performed. The table below shows the status of risk\n    assessments and reaccreditations of mission-critical systems after the contractor\n    Y2K renovations. However, until all mission-critical systems are accredited or\n    reaccredited, DoD mission-critical systems will remain vulnerable to unknown\n    threats.\n\n\n\n                         Table 1. Status After Y2K Renovation\n\n                              Contractor           Risk Assessments   Reaccreditation\n                              Renovated              Yes     No        Yes      No\n\n      Army                               45            25   20          9       36\n      Navy                               34             9   25          9       25\n      Air Force                          16             7    9          7         9\n      Marine Corps                       14             0   14          0       14\n      DISA                               23            15     8        15         8\n      DLA                                7              0     7         0         7\n      WHS                             20                0   20          0       20\n\n\n             Total                  159                56   103        40      119\n\n\n      DISA    Defense Information Systems Agency\n\n      DLA     Defense Logistics Agency\n      WHS     Washington Headquarters Services\n\n\n\n\nConclusion\n    Despite successful Y2K changes and modifications, more needs to be done to\n    minimize the security risk for renovated systems. All DoD Components that\n    renovated systems for the Y2K conversion should consider the results of this\n    audit and the security posture of those systems.\n\n\n\n\n                                                   5\n\x0cRecommendations, Management Comments, and Audit\n  Response\n    Revised and Redirected Recommendations. Based on the responses received,\n    we redirected the recommendation to the respective Component Chief\n    Information Officers.\n\n    We recommend that the Chief Information Officers of the Army, Navy, Air\n    Force, Marine Corps, Defense Information Systems Agency, Defense\n    Logistics Agency, and Washington Headquarters Services:\n\n          1. Assess the potential risks to the security baseline requirements for\n    renovated systems for which risk assessments are lacking.\n\n           2. Accredit or reaccredit renovated systems in accordance with DoD\n    Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification\n    and Accreditation Process.\xe2\x80\x9d\n\n    Department of the Air Force Comments. The Department of the Air Force\n    concurred with the finding and recommendations. The designated approving\n    authorities for the nine Air Force systems identified in the audit will accomplish\n    security risk assessments by March 1, 2001, and complete the certification and\n    accreditation process by December 1, 2001. The complete text of the Air Force\n    comments can be found in the Management Comments section of the report.\n\n    Washington Headquarters Services Comments. Washington Headquarters\n    Services has begun to take actions to assess the potential risk to the security\n    baseline for the 20 systems that contractors renovated for the year 2000 and to\n    transition to the DoD Information Technology Security Certification and\n    Accreditation Process. Washington Headquarters Services recognizes the\n    importance of continuously assessing risk and understands that all of its\n    components need to be certified and accredited to maintain the information\n    assurance and security posture of the Defense Information Infrastructure. The\n    complete text of the Washington Headquarters Services comments can be found\n    in the Management Comments section of the report.\n\n    Audit Response. Washington Headquarters Services comments did not indicate\n    a concurrence or nonconcurrence. However, based on actions taken or planned,\n    we consider the Washington Headquarters Services comments to be fully\n    responsive.\n\n    Military Traffic Management Command Comments. Although not required\n    to comment, the Military Traffic Management Command concurred with the\n    recommendations and stated that it was in the process of accrediting or\n    reaccrediting their systems. The complete text of the Military Traffic\n    Management Command comments can be found in the Management Comments\n    section of the report.\n\n\n\n\n                                        6\n\x0cAudit Response. The Military Traffic Management Command has taken\nresponsive action.\n\nManagement Comments Required. The Army, Navy, Marine Corps, Defense\nInformation Systems Agency, and Defense Logistics Agency did not respond to\na draft of this report dated September 21, 2000. Accordingly, we redirected the\nrecommendations to their respective Chief Information Officers. We request\ncomments to the final report by February 12, 2001.\n\n\n\n\n                                   7\n\x0cAppendix A. Audit Process\n\nScope\n    Work Performed. We obtained a list of the DoD mission-critical systems from\n    the DoD Y2K database to determine the number of systems renovated for Y2K.\n    According to the Y2K database as of March 2000, DoD Components identified\n    889 renovated mission-critical systems. Due to constraints related to resources,\n    time and other factors, we excluded from the sample universe intelligence\n    systems, systems located at the Joint Staff and Commander-in-Chief locations,\n    and DoD Components with less than 10 renovated systems. We identified the\n    locations with the most systems and judgmentally selected a sample of systems\n    at each location. We selected 330 renovated systems for review.\n\n\n                             Figure 2. DoD Mission-Critical Systems\n                                       Renovated for Y2K\n\n\n                           59                                 237\n                   Commander-in-Chief                     Intelligence\n                      & Joint Staff\n\n                                                                    16\n                                                              Other Defense\n                                                                Agencies\n                            577\n                       Mission Critical\n                          Systems\n                                      889 Renovated Systems\n\n\n\n\n    Sample Description. We relied on DoD Components to identify contractor-\n    renovated systems, Government-renovated systems, and systems that did not\n    require renovation. We provided a questionnaire for each of the 330 systems.\n    Of the 330 systems identified, 159 systems were contractor-renovated or\n    renovated using a combination of government and contractor personnel,\n    122 systems were renovated by government personnel, 37 systems were not\n    renovated, and 12 systems were not specifically identified. We reviewed and\n    summarized data pertaining only to the 159 contractor-renovated systems. The\n    questionnaire identified access controls, background checks, configuration\n    management, and code verification and validation as techniques that DoD used\n    to monitor and control contractor access during Y2K renovation. We\n    summarized the responses to determine how each sampled DoD location\n    monitored or controlled contractors used in the Y2K renovation effort.\n\n\n\n                                           8\n\x0c    DoD-Wide Corporate-Level Government Performance and Results Act\n    (GPRA) Coverage. In response to the GPRA, the Secretary of Defense\n    annually establishes DoD-wide corporate-level goals, subordinate performance\n    goals, and performance measures. However, the Secretary of Defense had not\n    established any GPRA goals for Information Assurance.\n\n    DoD Functional Area Reform Goals. Most major DoD functional areas have\n    also established performance improvement reform objectives and goals. This\n    report pertains to the achievement of the following functional area objectives\n    and goals:\n\n               Information Technology Functional Issue Area.\n               Objective: Ensure DoD vital information resources are secure and\n               protected. Goal: Improve acquisition processes and regulations.\n               (DoD-5.2) Goal: Assess information assurance posture of DoD\n               operational systems. (ITM-4.4)\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Information Management and Technology high-risk area.\n\nMethodology\n    Audit Type, Dates, and Standards. We performed this economy and\n    efficiency audit from February through August 2000, in accordance with\n    auditing standards issued by the Comptroller General of the United States, as\n    implemented by the Inspector General, DoD.\n\n    Use of Computer-Processed Data. To achieve the audit objectives, we relied\n    on computer-processed data contained in the DoD Y2K database. Our review of\n    system controls and the results of data tests showed an error rate that casts doubt\n    on the validity of the data. However, when the data are reviewed in context with\n    other available evidence, we believe that the opinions, conclusions, and\n    recommendations in this report are valid.\n\n    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD. Further details are available on request.\n\nManagement Control Program Review\n    We did not review the management control program related to the overall audit\n    objective because DoD designated information assurance as a material\n    management control weakness in the FY 1999 Annual Statement of Assurance.\n\n\n\n\n                                         9\n\x0cPrior Coverage\n\n    General Accounting Office\n\n    GAO reports can be accessed over the Internet at http://www.gao.gov.\n\n    GAO Report No. T-NSIAD-00-148, \xe2\x80\x9cDoD Personnel: Weaknesses in Security\n    Investigation Program Are Being Addressed,\xe2\x80\x9d April 6, 2000.\n\n    GAO Report No. AIMD-00-55, \xe2\x80\x9cComputer Security: FAA Needs to Improve\n    Controls Over Use of Foreign Nationals to Remediate and Review Software,\xe2\x80\x9d\n    December 23, 1999.\n\n    Inspector General, DoD\n\n    The DoD audit and inspection agencies issued over 200 reports on the DoD\n    Y2K conversion, including about 185 reports by the Inspector General, DoD.\n    In addition, there have been numerous reports on information security matters,\n    although those reports are generally classified or For Official Use Only. The\n    text of the releasable Inspector General, DoD, reports is available on-line at\n    http://www.dodig.osd.mil.\n\n\n\n\n                                       10\n\x0cAppendix B. Renovated Systems Sampled\n\n                                                                         Risk\n     Component                                              Contractor Assessment Reaccreditation\n     Organization System Name                               Renovated Yes No       Yes      No\n\nArmy Systems\n1  CCSLA1        Army Computer Security Commodity               X        X                   X\n                 Logistics Accounting Information\n                 Management System\n2    CECOM2      Message Switch (SEC)                           X        X                   X\n3    CECOM2      Army Switch Program                            X        X                   X\n4    CECOM2      ASAS - All Source (BLOCK I) (SEC)              X        X           X\n5    CECOM2      ASAS - Comm Control System (BLOCK              X        X           X\n                 I) (SEC)\n6    CECOM2      ASAS - Remote Work Station (BLOCK I)           X        X           X\n                 (SEC)\n7    CECOM2      ASAS - SS/EAC (BLOCK I) (SEC)                  X        X           X\n8    CECOM2      Cont Central Comp AN/FSC-115, GSC-             X        X                   X\n                 63 (SEC)\n9    CECOM2      MLRS - Fire Direction Sys, AN/GYK-37           X              X     X\n                 (SEC)\n10   CECOM2      MSE Network Planning Term AN/UYK-              X              X             X\n                 100 (SEC)\n11   CECOM2      System Control Center, AN/TYQ-46(V)2           X        X           X\n                 (SEC)\n12   CECOM2      Satellite Configuration Control Element        X        X                   X\n                 An/FSC-91 (SEC)\n13   CECOM2      Satellite Communications Set (SCS) (SEC)       X        X                   X\n14   CECOM2      Trailblazer, AN/TSQ-138 (SEC)                  X              X             X\n15   ILSC3       Standard Depot System                          X        X                   X\n16   LOGSA4      Army Airlift Clearance Authority               X              X             X\n17   LOGSA4      Army Total Asset Visibility                    X              X             X\n18   LOGSA4      DoD Address Directory                          X              X             X\n19   LOGSA4      Logistics Intelligence File                    X              X             X\n20   LOGSA4      Unit Movement Visibility                       X              X             X\n21   LSSC5       Commodity Command Standard System              X        X                   X\n22   STRICOM6    Close Combat Tactical Trainer                  X        X                   X\n23   MTMC7       Automated Air Load Planning System             X        X                   X\n\n\n\n\nFootnotes/Acronyms defined on pages 17 and 18\n\n\n                                              11\n\x0c                                                                        Risk\n      Component                                           Contractor Assessment Reaccreditation\n      Organization   System Name                          Renovated Yes No       Yes      No\n\nArmy Systems (cont\xe2\x80\x99d)\n24 MTMC7            Asset Management System                   X       X                    X\n25 MTMC7            CONUS Freight Management System           X             X              X\n          7\n26 MTMC             Integrated Booking System                 X       X                    X\n27 MTMC7            Integrated Computerized Deployment        X       X            X\n                    System\n28 MTMC7            Worldwide Port System                     X             X              X\n29 PEOC3S8          AFATDS A97                                X             X      X\n30 PEOC3S8          Enhanced Switch Operations Program        X       X                    X\n31 PEOC3S8          Global Command and Control System -       X       X                    X\n                    Army\n32 PEOC3S8          Global Command and Control System -       X       X                    X\n                    Army\n33 PEOC3S8          Integrated Meteorological System          X       X                    X\n                    (IMETS) Block II\n34 PEOC3S8          Joint Collection Management Tools         X             X              X\n35 PEOC3S8          Airborne Reconnaissance Low -             X             X              X\n                    COMINT\n36 PEOIEW9          Airborne Reconnaissance Low -             X             X              X\n                    Multifunction\n37 PEOIEW9          Guardrail/Common Sensor System 1,         X             X              X\n                    AN/USD-9D\n38 PEOIEW9          Guardrail/Common Sensor System 3          X             X              X\n                    AN/USD-9B\n39 PEOIEW9          Guardrail/Common Sensor System 4,         X             X              X\n                    AN/USD-9C\n40 PEOSTAMIS10 Standard Army Ammunition System-               X       X            X\n                    Modernization\n41 PEOSTAMIS10 Standard Army Maintenance System - 1           X             X              X\n                    & 2 Rehost (TACCS Replacement)\n42 PEOSTAMIS10 Standard Army Retail Supply System             X       X                    X\n                    Gateway\n43 PEOSTAMIS10 Standard Army Retail Supply System             X             X              X\n                    Level 1 Objective\n44 PEOSTAMIS10 Standard Army Retail Supply System -           X       X                    X\n                    2AD\n45 PEOSTAMIS10 Transportation Coordinators Automated          X             X              X\n                    C2 Information System\n\n                     Total Army                              45       25    20     9      36\n\n\n\n\nFootnotes/Acronyms defined on pages 17 and 18\n\n\n                                            12\n\x0c                                                                          Risk\n     Component                                              Contractor Assessment Reaccreditation\n     Organization System Name                               Renovated Yes      No  Yes     No\n\nNavy Systems\n\n46   NAVAIR11    AN/TPX-42A(V) Air Traffic Control             X               X            X\n                 Direct Altitude and Identity Readout\n47   NAVAIR11    Integrated Voice Communications               X               X            X\n                 Switching System (IVCSS)\n48   NAVAIR11    Airfield Lighting Control System              X               X            X\n                 (AFLICS)\n49   NAVAIR11    AN/ASM-608 IMUTS                              X               X            X\n50   NAVAIR11    Theater Mission Planning Center               X               X            X\n51   NAVAIR11    Afloat Planning System                        X               X            X\n52   NAVAIR11    Joint Service Imagery Processing System-      X               X            X\n                 NAVY\n53   NAVAIR11    Tactical Automated Mission Planning           X               X            X\n                 System\n54   NAVAIR11    EA-6B TSQ-142 (V5/6) TEAMS Software           X               X            X\n                 Release 205.04\n55   NAVSEA12    Navigation Command and Control System         X               X            X\n                 (NAV/C2)\n56   NAVSEA12    Cooperative Engagement Capability             X               X            X\n                 Baseline 2\n57   NAVSEA12    Advance Combat Direction System BLK 1         X               X            X\n                 (LHD 1, CV 67,69 ONLY)\n58   NAVSEA12    Advance Signal Processor                      X               X            X\n59   NAVSEA12    AN/BSY-2 Submarine Combat System              X               X            X\n60   NAVSEA12    CCS REV 5.5                                   X               X            X\n61   NAVSEA12    CCS REV 6.3                                   X               X            X\n62   SPAWAR13    Ported SNAP I Shipboard Non-Tactical          X        X            X\n                 ADP Program\n63   SPAWAR13    NALCOMIS IMA                                  X        X            X\n64   SPAWAR13    NALCOMIS OMA                                  X        X            X\n65   SPAWAR13    Food Service Management System                X        X            X\n66   SPAWAR13    Automated Travel Order System                 X        X            X\n67   SPAWAR13    Aviation Maintenance Material                 X        X            X\n                 Management\n68   SPAWAR13    TLMS                                          X        X            X\n69   SPAWAR13    NTCSS-DANA Desk Top Environment               X        X            X\n70   SPAWAR13    Ported Snap II Shipboard Non-Tactical         X        X            X\n                 ADP Program\n71   SPAWAR13    Multilevel Mail Server                        X               X            X\n72   SPAWAR13    NOVA                                          X               X            X\n73   SPAWAR13    Integrated Submarine Automated                X               X            X\n                 Broadcast Processing System - ASHORE\n\nFootnotes/Acronyms defined on pages 17 and 18\n\n\n                                              13\n\x0c                                                                            Risk\n     Component                                                Contractor Assessment Reaccreditation\n     Organization System Name                                 Renovated Yes     No   Yes     No\n\nNavy Systems (cont\xe2\x80\x99d)\n74   SPAWAR13       NATO Interoperable Submarine                 X              X             X\n                    Broadcast System\n75   SPAWAR13       Integrated Verdin Transmit Terminal          X              X             X\n76   NAVSUP14       Uniform Automated Data PRCSS SYS             X              X             X\n77   NAVSUP14       Residual Asset Management                    X              X             X\n78   NAVSUP14       Advanced Tracebility & Control-Navy          X              X             X\n79   NAVSUP14       UICP Transition                              X              X             X\n\n                    Total Navy                                   34       9     25     9      25\n\nAir Force Systems\n80   AFMC15         Air Force Key Data Management                X              X             X\n                    System\n81   AFMC15         Joint Tactical Information Distribution      X              X             X\n                    System\n82   AFMC15         Portable Flight Planning Software            X              X             X\n83   AFMC15         Comprehensive Engine Management              X        X            X\n                    System\n84   TRANSCOM16     Analysis of Mobility Platform                X        X                   X\n85   TRANSCOM16     Defense Medical Regulating Information       X              X      X\n                    System\n86   TRANSCOM16     Automated Patient Evacuation System          X              X      X\n\n87   TRANSCOM16 Global Transportation Network                    X              X             X\n88   AFMC15     Execution and Prioritization of Repairs          X        X                   X\n                Support System\n89   AFMC15     Item Manager Wholesale Requisition               X              X             X\n                Process\n90   AFMC15     Sustainability Assessment Module                 X              X             X\n91   AFMC15     Combat Ammunition System - Air                   X        X            X\n                Logistics Center\n92   AFMC15     Combat Ammunition System (Base                   X        X            X\n                Level)\n93   AFMC15     Combat Ammunition System -                       X        X            X\n                Command\n94   AFMC15     Combat Ammunition System Deployable              X        X            X\n95   AFMC15     Cargo Movement Operations System                 X              X             X\n\n                    Total Air Force                              16       7     9      7       9\n\n\n\n\nFootnotes/Acronyms defined on pages 17 and 18\n\n\n                                               14\n\x0c                                                                         Risk\n    Component                                              Contractor Assessment Reaccreditation\n    Organization System Name                               Renovated Yes No Yes           No\n\nMarine Corps Systems\n96 USMC17       Contract Divisions Document                    X             X             X\n97 USMC17       Publication System                             X             X             X\n          17\n98 USMC         Item Applications                              X             X             X\n99 USMC17       MCLB Automated Information System              X             X             X\n                Transition Router\n100 USMC17      Material Return Program                        X             X             X\n101 USMC17      Automated Procurement                          X             X             X\n102 USMC17      Technical Data Management                      X             X             X\n103 USMC17      Provisioning Subsystem                         X             X             X\n104 USMC17      Mechanization of Warehouse and Storage         X             X             X\n105 USMC17      Transportation Management System               X             X             X\n106 USMC17      Store Accounting Subsystem                     X             X             X\n107 USMC17      Allotment Accounting Subsystem                 X             X             X\n108 USMC17      Asset Tracking for Logistics and Supply        X             X             X\n                System\n109 USMC17      Essex Replacement System                       X             X             X\n\n                 Total Marine Corps                           14       0     14    0      14\n\nDefense Information Systems Agency\n110 D218         DISN-Telecommunications Management            X             X             X\n                 System-C\n111 D319         Defense Satellite Communications System       X       X           X\n112 D319         Automatic Digital Network                     X             X             X\n113 D319         Bosnia C2 Augmentation                        X       X                   X\n       19\n114 D3           Defense Red Switch Network                    X       X           X\n115 D319         Enhanced Pentagon Capability                  X       X           X\n116 D319         Defense Switched Network                      X             X     X\n117 D319         Defense Information Systems Network-          X             X     X\n                 Integrated Digital Network Exchange\n118 D319         Joint Spectrum Management System              X       X           X\n                 (JSMSw)\n119 D319         Frequency Resource Records System DCF         X       X           X\n120 D319         Frequency Resource Records System CCF         X       X           X\n121 D620         Global Command and Control System             X       X           X\n                 V.30\n122 D620         Global Command and Control System             X       X           X\n                 JOPES Editing Tools\n123 D620         GSSC of Resources and Training System         X       X           X\n       20\n124 D6           National C2 System-Massage Handler            X       X                   X\n\n\n\nFootnotes/Acronyms defined on pages 17 and 18\n\n\n                                              15\n\x0c                                                                            Risk\n      Component                                               Contractor Assessment   Reaccreditation\n      Organization   System Name                              Renovated Yes     No     Yes     No\n\nDefense Information Systems Agency (cont\xe2\x80\x99d)\n125 D620         Anti-Drug Network                               X       X                     X\n126 D620         Status of Readiness and Training                X       X             X\n127 D620         Common Operating Picture UB 3.0.2.5             X              X      X\n128 DISA21       DISA Internal Network                           X       X             X\n129 JECPO22      DoD Electronic Business Exchange                X       X             X\n130 JITC23       Corporate Database for Windows                  X              X              X\n         23\n131 JITC         Database Commitment Accounting System           X              X              X\n132 JITC23       Microcomputer Message Analysis System -         X              X              X\n                 PJIES\n\n                  Total Defense Information                      23      15     8      15       8\n                  Systems Agency\n\nDefense Logistics Agency\n133 DSDC24        Standard Automated Management Material         X              X              X\n                  (PEDE)\n134 DSDC24         Mechanization of Contract Administration      X              X              X\n                  Services\n135 DSDC24        Alerts                                         X              X              X\n136 DSDC24        Base Operations Support System                 X              X              X\n137 DSDC24        Distribution Standard System                   X              X              X\n138 DSDC24        Defense Reutilization and Marketing            X              X              X\n                  Automated Information System\n139 DSDC24        Defense Fuels Automated Management             X              X              X\n                  System\n\n                  Total Defense Logistics Agency                 7       0      7       0       7\n\nWashington Headquarters Service Systems\n140 C&D25      Correspondence Control System                     X              X              X\n141 C&D25      Directives Issuance Tracking System               X              X              X\n        26\n142 P&S        Adjucation Facility Tracking System               X              X              X\n143 P&S26      Personnel & Security Database Application         X              X              X\n144 P&S26      Senior Executive Service Titles                   X              X              X\n145 P&S26      Military Personnel Tracking System - WHS          X              X              X\n146 RE&F27     Administrative Assignment Rental                  X              X              X\n               Management System/ Rental System\n147 RE&F27     Contract Guard Service                            X              X              X\n\n\n\n\nFootnotes/Acronyms defined on pages 17 and 18\n\n\n                                                16\n\x0c                                                                     Risk\n       Component                                     Contractor   Assessment Reaccreditation\n       Organization   System Name                    Renovated    Yes    No   Yes     No\n\nWashington Headquarters Service Systems (cont\xe2\x80\x99d)\n\n148   RE&F27      Day Care Tracking System               X               X             X\n149   RE&F27      Emergency Contract System              X               X             X\n150   RE&F27      Fund Analysis System                   X               X             X\n151   RE&F27      Inventory Property Management          X               X             X\n                  Information System\n152   RE&F27      Parking Control Applications           X               X             X\n153   RE&F27      Personnel Action Tracking System       X               X             X\n154   RE&F27      Phone Record Tracking System           X               X             X\n155   RE&F27      Pulaski Parking Permit Tracking        X               X             X\n                  System\n156   RE&F27      Reimbursable Project Worksheet         X               X             X\n157   RE&F27      Reimbursable Work Orders               X               X             X\n158   RE&F27      SEMD Tracking Systems                  X               X             X\n159   RE&F27      Integrated Property Management         X               X             X\n                  Information System\n\n                  Total Washington Headquarters         20         0     20     0      20\n                  Services\n\n\n                  Total DoD Systems                     159        56   103     40    119\n\n\n\n\n        Component Organization Descriptions\n\n        1.       CCSLA     CECOM Communications Security Logistics Agency\n        2.       CECOM     Communications Electronics Command\n        3.       ILSC      Industrial Logistics Systems Center\n        4.       LOGSA     Logistics Support Activity\n        5.       LSSC      Logistics Systems Support Center\n        6.       STRICOM   Simulation, Training & Instrumentation Command\n        7.       MTMC      Military Traffic Management Command\n        8.       PEOC3S    Program Executive Office for Command, Control, and\n                            Computers Systems\n        9.       PEOIEW    Program Executive Office\n        10.      PEOSTAMIS Program Executive Office Standard Army Management\n                            Information Systems\n        11.      NAVAIR    Naval Air Command\n        12.      NAVSEA    Naval Sea Command\n        13.      SPAWAR    Space & Naval Warfare Systems Command\n        14.      NAVSUP    Naval Supply Systems Command\n        15.      AFMC      Air Force Materiel Command\n\n\n                                               17\n\x0c16.   TRANSCOM Transportation Command\n17.   USMC     United States Marine Corps\n18.   D2       Command, Control, Communications, Computer and\n                Intelligence\n19.   D3       Operations\n20.   D6       Engineering and Information\n21.   DISA     Defense Information System Agency\n22.   JECPO    Joint Electronic Commerce Program Office\n23.   JITC     Joint Interoperability Test Command\n24.   DSDC     Defense Logistics Agency Systems Design Center\n25.   C&D      Correspondence & Directives\n26.   P&S      Personnel & Security\n27.   RE&F     Real Estate & Facilities\n\n\n\n\n                            18\n\x0cAppendix C. Techniques to Monitor Contractor\n            Renovations\n    We reviewed various techniques DoD Components used to control or monitor\n    contractor access to the mission-critical systems. These techniques included\n    access controls, configuration management, and independent validation and\n    verification of software changes to prevent or detect code errors, backdoors,\n    viruses, and malicious code. Results of the control techniques are discussed\n    below.\n\nAccess Controls\n    Access controls are the structures, policies, and procedures that provide\n    reasonable assurance that computer resources are protected against\n    vulnerabilities, such as unauthorized modification, disclosure, loss, or\n    impairment. Access controls address logical and physical controls.\n\n            Logical Controls. Logical controls use computer hardware and software\n    to prevent or detect unauthorized access by requiring users to input user\n    identification, passwords, or other identifiers that are linked to predetermined\n    system access privileges.\n\n           Physical Controls. Physical controls restrict the entry and exit of\n    personnel, equipment, and media from an area, such as an office building, suite,\n    data center, or room containing a local area network server. Examples of\n    physical controls are cipher locks, security badges, and security guards.\n    Inadequate access controls increase the vulnerability of DoD information\n    systems to external and internal sources that could execute unauthorized changes\n    to programs or introduce malicious code. To mitigate internal risk, access\n    controls should include a requirement for a background check.\n\n    Access Control Responses. DoD Components responded that 134 of the 159\n    contractor-renovated systems had access controls. Also, DoD responded that\n    personnel security background checks were completed for 121 systems.\n    Because DoD Components did not always implement access controls or verify\n    that background checks for the contractors were complete or up to date, the\n    effectiveness of the access control was diminished.\n\nConfiguration Management\n    Controls Over Y2K Modifications. DoD Components used configuration\n    management to control modifications to mission-critical system hardware and\n    software to ensure that systems were protected from improper modifications\n    prior to, during, and after Y2K renovation. According to the DoD Y2K\n    Management Plan, DoD Components were required to use configuration\n\n\n                                        19\n\x0c     management procedures to document all changes to information systems and\n     their components. Equally important was the need for each agency to assess\n     dependencies and to communicate all changes to the information systems to\n     internal and external users.\n\n     Configuration management procedures resulted in the documentation of a system\n     baseline that identified information system hardware, software, firmware\n     components, and external interfaces. Configuration management procedures\n     also provided the foundation for future security evaluations and established a\n     known reference point from which to make future accreditation decisions.\n\n     Configuration Control Responses. DoD Components reported using\n     configuration management procedures that ranged from the use of checklists,\n     tools, and sign-in/out sheets to acceptance testing for 150 of the 159 contractor-\n     renovated systems. Although risk mitigation is best accomplished by using\n     multiple control measures, the various Component responses indicate that there\n     is still a DoD-wide weakness in implementing a standard configuration\n     management program. A standard configuration management program should\n     consist of procedures that provide for authorizing, testing, and maintaining\n     software libraries.\n\nIndependent Verification and Validation\n     Independent verification and validation is an independent review of remediated\n     systems to determine whether those systems were Y2K compliant. Independent\n     verification and validation does not replace testing; rather, it is an independent\n     review that aids in testing by detecting uncorrected fields and lines of code.\n     Activities such as code scanning and virus scanning are considered to be\n     independent reviews that assisted in identifying lines of codes that had the\n     potential to be manipulated by internal and external threats.\n\n             Code and Virus Scanning. Code scanning can be part of the\n     independent verification and validation process to identify missed date fields,\n     identify invalid date-processing logic, and validate corrected code. Code\n     scanning includes sub-programs or copybooks, performing analysis to remove\n     false positives, reviewing and validating suspected error, and fixing identified\n     true errors. DoD Components also reported that they scanned code to detect\n     viruses in contractor-renovated systems. Virus scanning, however, does not\n     detect logic errors; logic errors should be detected during code scanning.\n\n     Code Validation and Verification Responses. DoD Components responded\n     that they used some form of independent verification and validation, code\n     scanning, or virus detection on only 106 systems of the 159 contractor-\n     renovated systems. Measures to prevent or detect code errors, viruses, or other\n     malicious activities cannot provide a level of effectiveness unless used.\n\n\n\n\n                                         20\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller/Chief Financial Officer)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n  Director, Program Analysis and Evaluation\nUnder Secretary of Defense for Personnel and Readiness\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Deputy Assistant Secretary of Defense, Chief Information Officer\n  Deputy Assistant Secretary of Defense, Security and Information Operations\n     Director, Defense-wide Information Assurance Program\nAssistant Secretary of Defense (Health Affairs)\n\nJoint Staff\nDirector, Joint Staff\n\nDepartment of the Army\nAssistant Secretary of the Army (Acquisition, Logistics, and Technology)\nCommander, U.S. Army Materiel Command\n   Commander, Army Aviation and Missile Command\n   Commander, Army Simulation, Training and Instrumentation Command\n   Commander, Logistics Support Activity\n   Commander, Army Communications-Electronics Command\nDirector, Military Traffic Management Command\nInspector General, Department of the Army\nAuditor General, Department of the Army\nChief Information Officer, Department of the Army\n\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Manpower and Reserve Affairs)\nCommander, Naval Air Systems Command\nCommander, Naval Sea Systems Command\nCommander, Naval Supply Systems Command\nCommander, Space and Naval Warfare Systems Command\nSuperintendent, Naval Postgraduate School\n\n\n\n\n                                        21\n\x0cDepartment of the Navy (con\xe2\x80\x99t)\nNaval Inspector General\n  Inspector General, Department of the Navy (Audit/Cost Management Division)\n  Deputy Naval Inspector General for Marine Corps Matters, Department of the Navy\nAuditor General, Department of the Navy\nChief Information Officer, Department of Navy\nChief Information Officer, Marine Corps\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nInspector General, Department of the Air Force\nAuditor General, Department of the Air Force\nChief Information Officer, Department of the Air Force\n\n\nUnified Commands\nInspector General, U.S. Central Command\nInspector General, U.S. Joint Forces Command\nInspector General, U.S. Pacific Command\nInspector General, U.S. Space Command\nInspector General, U.S. Southern Command\nInspector General, U.S. Special Operations Command\n\nOther Defense Organizations\nDefense, Contract Management Agency\nDirector, Defense Commissary Agency\nDirector, Defense Contract Audit Agency\nDefense, Finance and Accounting Service\nDirector, Defense Information Systems Agency\n   Inspector General, Defense Information Systems Agency\n   United Kingdom Liaison Officer, Defense Information Systems Agency\nDirector, Defense Logistics Agency\nDirector, National Security Agency\n   Inspector General, National Security Agency\nDirector, Washington Headquarters Services\nDirector, DoD Human Resources Activity\nInspector General, Defense Intelligence Agency\nInspector General, Defense Threat Reduction Agency\nInspector General, National Imagery and Mapping Agency\n\n\n\n\n                                         22\n\x0cNon-Defense Federal Organizations and Individuals\nOffice of Management and Budget\n Office of Information and Regulatory Affairs\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Management, Information, and Technology,\n  Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\n\n\n\n\n                                        23\n\x0c\x0cDepartment of the Air Force Comments\n\n\n\n\n                  25\n\x0c               Washington Headquarters Services\n               Comments\nFinal Report\n Reference\n\n\n\n\nManagement\nagreed to\nremove\nmarking.\n\n\n\n                                 26\n\x0c     Final Report\n      Reference\n\n\n\n\n     Omitted\n     because of\n     length.\n     Copies will\n     be provided\n     upon\n     request.\n\n\n\n\n     Management\n     agreed to\n     remove\n     marking.\n\n\n27\n\x0cArmy Military Traffic Management\nCommand Comments\n\n\n\n\n                 28\n\x0cAudit Team Members\n   The Acquisition Management Division Directorate, Office of the Assistant\n   Inspector General for Auditing, DoD, prepared this report.\n\n     Thomas F. Gimble\n     Mary Lu Ugone\n     Wanda A. Hopkins\n     Dianna J. Pearson\n     Richard B. Vasquez\n     JoAnn Henderson\n     H. George Cherry\n     Timothy Cole\n     Jamal Hall\n\x0c'